;------------------------------- ; #EA ; patched RWTS and p-code madness ; ; module by qkumba ;------------------------------- !zone { bit gMode ; nothing to do here in verify-only mode bpl .jmpexit lda gIsEA ; only ever seen this protection beq + ; on Electronic Arts titles jmp .dostitles .jmpexit jmp .exit + ldy #40 jsr SearchTrack !byte $8D,$6F,$BC ;STA $BC6F !byte $8C,$70,$BC ;STY $BC70 !byte $A0,$20 ;LDY #$20 !byte $88 ;DEY !byte $F0,$D7 ;BEQ -$D7 !byte $AD,$EC,$C0 ;LDA $C0EC !byte $10,$FB ;BPL -$FB !byte $49,$D5 ;EOR #$D5 !byte $D0,$F4 ;BNE -$F4 !byte $EA ;NOP !byte $AD,$EC,$C0 ;LDA $C0EC !byte $10,$FB ;BPL -$FB !byte $C9,$BB ;CMP #$BB !byte $D0,$F2 ;BNE -$F2 !byte $EA ;NOP !byte $AD,$EC,$C0 ;LDA $C0EC !byte $10,$FB ;BPL -$FB !byte $C9,$CF ;CMP #$CF !byte $D0,$E8 ;BNE -$E8 bcs + pha txa clc adc #27 tax adc #10 sta .patch2+1 pla pha ldy #1 jsr modify !byte $AA ;data prologue #2 .patch2 ldx #$D1 pla ldy #1 jsr modify !byte $AD ;data prologue #3 + ldy #13 jsr SearchTrack !byte $03,$49 ;LDI #$05 !byte $01,$03,$65 ;JSRA $bc00 !byte $01,$03,$79 ;JSRA $a000 !byte $03,$4C ;LDI #$00 !byte $04,$EB,$19 ;LDA $c0e8 bcs + inx inx inx inx inx ldy #1 jsr modify !byte $04 + ldy #15 jsr SearchTrack ;enciphered call to p-code as above !byte $BF,$9F,$BE,$F6,$04,$2E,$9B,$DA !byte $5A,$16,$DA,$30,$06,$45,$C2 bcs + inx ldy #1 jsr modify !byte $EE ;enciphered jsra->lda to disable call + ldy #8 jsr SearchTrack !byte $20,$10,$07 ;JSR $0710 !byte $A5,$56 ;LDA $56 !byte $D0,$A7 ;BNE -$A7 !byte $4C ;JMP $xxxx bcs + inx inx inx inx inx inx ldy #1 jsr modify !byte $00 ;disable branch + ldy #15 jsr SearchTrack !byte $03,$49 ;LDI #$05 !byte $01,$03,$65 ;JSRA $bc00 !byte $03,$4C ;LDI #$00 !byte $01,$03,$79 ;JSRA $a000 !byte $07,$01 ;SUB #$4d !byte $0F,$F5,$70 ;BNE $a9f6 bcs + pha lda #s_tamper jsr PrintByID txa adc #7 tax adc #4 sta .patch3 + 1 pla pha ldy #1 jsr modify !byte $04 ;new checksum value for sub pla .patch3 ldx #$D1 ldy #1 jsr modify !byte $00 ;jsra->lda to disable call ;routine loops infinitely on failure + ldy #13 jsr SearchTrack !byte $4C,$E7,$B2 ;JMP $B2E7 !byte $4C,$74,$B3 ;JMP $B374 !byte $00,$00 ;filler !byte $C9,$CB ;CMP #$CB !byte $D0,$7C ;BNE +$7C !byte $60 ;RTS bcs + pha lda #s_tamper jsr PrintByID txa adc #11 tax pla ldy #1 jsr modify !byte $00 ;disable branch + ldy #15 jsr SearchTrack !byte $03,$49 ;LDI #$05 !byte $01,$03,$65 ;JSR $BC00 !byte $03,$4C ;LDI #$00 !byte $01,$03,$6C ;JSR $B500 !byte $07,$1C ;SUB #$50 !byte $0F,$78,$60 ;BNE $B97B bcs + pha lda #s_tamper jsr PrintByID txa adc #11 tax pla ldy #1 jsr modify !byte $4C ;new checksum value for sub + ldy #14 jsr SearchTrack !byte $78 ;SEI !byte $20,$00,$D7 ;JSR $D700 !byte $C9,$4D ;CMP #$4D !byte $F0,$06 ;BEQ +$06 !byte $20,$67,$67 ;JSR $6767 !byte $20,$AA,$BF ;JSR $BFAA bcs + pha lda #s_tamper jsr PrintByID pla inx inx inx inx inx ldy #1 jsr modify !byte $00 ;new checksum value for cmp + ldy #9 jsr SearchTrack !byte $20,$84,$6E ;JSR $6E84 !byte $A5,$11 ;LDA $11 !byte $C9,$52 ;CMP #$52 !byte $F0,$03 ;BEQ +$03 bcs + pha lda #s_tamper jsr PrintByID pla inx inx inx inx inx inx ldy #1 jsr modify !byte $50 ;new checksum value for cmp + ldy #7 jsr SearchTrack !byte $20,$86,$6E ;JSR $6E86 !byte $C9,$52 ;CMP #$52 !byte $D0,$DB ;BNE -$DB bcs + pha lda #s_tamper jsr PrintByID pla inx inx inx inx ldy #1 jsr modify !byte $50 ;new checksum value for cmp + ldy #12 jsr SearchTrack !byte $20,$3E,$91 ;JSR $913E !byte $20,$F3,$76 ;JSR $76F3 !byte $20,$00,$61 ;JSR $6100 !byte $4C,$94,$69 ;JMP $6994 bcs + inx inx inx inx inx inx ldy #1 jsr modify !byte $2C ;JSR->BIT + ldy #23 jsr SearchTrack ;looks like garbage because it's enciphered !byte $03,$5B ;LDI #$00 !byte $06,$FF,$97 ;STA $4ee4 !byte $1C,$E0,$8F ;JSRA $4ce3 !byte $05,$FB,$95 ;JSRA $4ce3 !byte $19,$E0,$88 ;JSRA $4ce3 !byte $05,$FE,$95 ;JSRA $4ce3 !byte $1B,$EB,$39 ;LDA $c0e8 !byte $04,$C6,$97 ;LDA $4ee4 bcs + pha txa adc #21 tax pla ldy #1 jsr modify !byte $C7 ;lda from known-zero instead + ldy #23 jsr SearchTrack !byte $03,$4C ;LDI #$00 !byte $06,$E1,$DE ;STA $07e2 !byte $05,$CC,$DC ;JSRA $05cf !byte $05,$CC,$DC ;JSRA $05cf !byte $05,$CC,$DC ;JSRA $05cf !byte $05,$CC,$DC ;JSRA $05cf !byte $04,$EB,$19 ;LDA $c0e8 !byte $04,$E1,$DE ;LDA $07e2 bcs + pha txa adc #21 tax pla ldy #1 jsr modify !byte $E0 ;lda from known-zero instead + ldy #23 jsr SearchTrack !byte $03,$4C ;LDI #$00 !byte $07,$E1,$DE ;STA $07e2 !byte $04,$CC,$DC ;JSRA $05cf !byte $04,$CC,$DC ;JSRA $05cf !byte $04,$CC,$DC ;JSRA $05cf !byte $04,$CC,$DC ;JSRA $05cf !byte $05,$EB,$19 ;LDA $c0e8 !byte $05,$E1,$DE ;LDA $07e2 bcs + pha txa adc #21 tax pla ldy #1 jsr modify !byte $E0 ;lda from known-zero instead + ldy #23 jsr SearchTrack !byte $03,$4C ;LDI #$00 !byte $06,$E1,$E0 ;STA $39e2 !byte $05,$D3,$EE ;JSRA $37d0 !byte $05,$D3,$EE ;JSRA $37d0 !byte $05,$D3,$EE ;JSRA $37d0 !byte $05,$D3,$EE ;JSRA $37d0 !byte $04,$EB,$19 ;LDA $c0e8 !byte $04,$E1,$E0 ;LDA $39e2 bcs + pha txa adc #21 tax pla ldy #1 jsr modify !byte $E0 ;lda from known-zero instead + ldy #31 jsr SearchTrack !byte $03,$4C ;LDI #$00 !byte $06,$E1,$7B ;STA $a2e2 !byte $03,$AB ;LDI #$e7 !byte $05,$02,$78 ;JSRA $a101 !byte $03,$AD ;LDI #$e1 !byte $05,$02,$78 ;JSRA $a101 !byte $03,$AB ;LDI #$e7 !byte $05,$02,$78 ;JSRA $a101 !byte $03,$A9 ;LDI #$e5 !byte $05,$02,$78 ;JSRA $a101 !byte $04,$EB,$19 ;LDA $c0e8 !byte $04,$E1,$7B ;LDA $a2e2 bcs + pha txa adc #29 tax pla ldy #1 jsr modify !byte $D1 ;lda from known-zero instead + ldy #16 jsr SearchTrack !byte $49,$4E ;EOR #$4E !byte $09,$2B ;ORA #$2B !byte $48 ;PHA !byte $A9,$04 ;LDA #$04 !byte $48 ;PHA !byte $A5,$4F ;LDA $4F !byte $45,$4F ;EOR $4F !byte $18 ;CLC !byte $E9,$00 ;SBC #$00 !byte $48 ;PHA bcs + pha lda #s_tamper jsr PrintByID pla inx ldy #1 jsr modify !byte $E8 ;new checksum value for eor + ldy #14 jsr SearchTrack !byte $AD,$00,$05 ;LDA $0500 !byte $A2,$FF ;LDX #$FF !byte $5D,$00,$05 ;EOR $0500,X !byte $CA ;DEX !byte $D0,$FA ;BNE *-4 !byte $C9,$A0 ;CMP #$A0 !byte $F0 ;BEQ *+xx bcs + pha lda #s_tamper jsr PrintByID txa adc #12 tax pla ldy #1 jsr modify !byte $A1 ;new checksum value for eor + ldy #24 jsr SearchTrack !byte $04,$4F,$D9 ;LDA $004c !byte $0A,$03,$7B ;LDX ($a200,A) !byte $10,$F1,$70 ;SUB $a9f2 !byte $06,$F1,$70 ;STA $a9f2 !byte $0C,$4F,$D9 ;INC $004c !byte $07,$AC ;CMP #$e0 !byte $0F,$E5,$71 ;BNE $a8e6 !byte $04,$F1,$70 ;LDA $a9f2 !byte $07 ;CMP #$xx bcs + pha lda #s_tamper jsr PrintByID txa adc #24 tax pla ldy #1 jsr compare !byte $AB bcs ++ ldy #1 jsr modify !byte $BB ;new checksum value for eor jmp + ++ ldy #1 jsr compare !byte $DB bcs ++ ldy #1 jsr modify !byte $D4 ;new checksum value for eor ++ + ldy #23 jsr SearchTrack !byte $03,$4C ;LDI #$00 !byte $06,$E1,$7b ;STA $a2e2 !byte $05,$CC,$79 ;JSRA $a0cf !byte $05,$CC,$79 ;JSRA $a0cf !byte $05,$CC,$79 ;JSRA $a0cf !byte $05,$CC,$79 ;JSRA $a0cf !byte $04,$EB,$19 ;LDA $c0e8 !byte $04,$E1,$7b ;LDA $a2e2 bcs + pha txa adc #21 tax pla ldy #1 jsr modify !byte $E0 ;lda from known-zero instead + ldy #23 jsr SearchTrack !byte $03,$9C ;LDI #$00 !byte $06,$31,$66 ;STA $bfe2 !byte $D5,$CC,$B4 ;JSRA $bdcf !byte $05,$1C,$64 ;JSRA $bdcf !byte $D5,$CC,$B4 ;JSRA $bdcf !byte $05,$1C,$64 ;JSRA $bdcf !byte $D4,$EB,$C9 ;LDA $c0e8 !byte $04,$31,$66 ;LDA $bfe2 bcs + pha txa adc #21 tax pla ldy #1 jsr modify !byte $30 ;lda from known-zero instead + ldy #14 jsr SearchTrack !byte $58,$0D !byte $F1,$5D !byte $5A,$0D !byte $74,$00 !byte $5C,$0D !byte $5E,$00 !byte $5E,$0D bcs .exit pha lda #s_tamper jsr PrintByID pla inx inx ldy #1 jsr modify !byte $F0 ;new checksum value for eor + .dostitles lda gIsBoot0 bne .exit ldy #23 jsr SearchTrack !byte $09,$7A ;LDI #$00 !byte $06,$7E,$A3 ;STA $0ee2 !byte $08,$4D,$A1 ;JSRA $0cd1 !byte $08,$4D,$A1 ;JSRA $0cd1 !byte $08,$4D,$A1 ;JSRA $0cd1 !byte $08,$4D,$A1 ;JSRA $0cd1 !byte $07,$74,$6D ;LDA $c0e8 !byte $07,$7E,$A3 ;LDA $0ee2 bcs + pha txa adc #21 tax pla ldy #1 jsr modify !byte $7F ;lda from known-zero instead + ldy #13 jsr SearchTrack !byte $A2,$04 ;LDX #$04 !byte $20,$4F,$1E ;JSR $1E4F !byte $20,$00,$A6 ;JSR $A600 !byte $A5,$48 ;LDA $48 !byte $D0,$01 ;BNE +$01 !byte $60 ;RTS bcs + pha txa adc #11 tax pla ldy #1 jsr modify !byte $00 ;disable branch + .exit }